US8387139B2 - Thread scanning and patching to disable injected malware threats - Google Patents

Thread scanning and patching to disable injected malware threats Download PDF

Info

Publication number
US8387139B2
US8387139B2 US12/025,142 US2514208A US8387139B2 US 8387139 B2 US8387139 B2 US 8387139B2 US 2514208 A US2514208 A US 2514208A US 8387139 B2 US8387139 B2 US 8387139B2
Authority
US
United States
Prior art keywords
thread
malware
code
block
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related, expires
Application number
US12/025,142
Other versions
US20090199297A1 (en
Inventor
Michael S. Jarrett
Adrian M Marinescu
Marius Gheorghe Gheorghescu
George C. Chicioreanu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsoft Technology Licensing LLC
Original Assignee
Microsoft Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Microsoft Corp filed Critical Microsoft Corp
Priority to US12/025,142 priority Critical patent/US8387139B2/en
Assigned to MICROSOFT CORPORATION reassignment MICROSOFT CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MARINESCU, ADRIAN M, CHICIOREANU, GEORGE C., GHEORGHESCU, MARIUS GHEORGHE, JARRETT, MICHAEL S.
Publication of US20090199297A1 publication Critical patent/US20090199297A1/en
Application granted granted Critical
Publication of US8387139B2 publication Critical patent/US8387139B2/en
Assigned to MICROSOFT TECHNOLOGY LICENSING, LLC reassignment MICROSOFT TECHNOLOGY LICENSING, LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MICROSOFT CORPORATION
Expired - Fee Related legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Definitions

  • Public networks such as the Internet are commonly used to allow businesses and consumers to access and share information from a variety of sources.
  • security is often a concern when accessing the Internet because there is a threat of malicious software being downloaded from a website or received in an e-mail which may contain viruses, Trojan horses, or other malicious executable code (collectively referred to as “malware”) that may infect computers inside the business or home.
  • malware malicious executable code
  • malware authors An increasingly common technique used by malware authors is to create new threads of execution inside existing legitimate (i.e., trusted) processes running on a computer system.
  • legitimate i.e., trusted
  • the technique enables the new threads to protect and defend the rest of the malware installation by interfering with or recovering from any changes made by anti-malware products or tools.
  • malware code is located in the memory of processes by extracting the start addresses of processes' threads and then searching near these addresses. Additional blocks of code in memory that are invoked by the code identified by each start address are also identified and the blocks are then matched against scanning signatures associated with known malware threads. If the entire signature can be matched against a subset of the blocks, then the thread is determined to be infected. The infected thread is suspended and in-memory modifications are performed to patch the injected code to render it harmless. Once modified, the thread can be resumed or terminated (as may be specified by the signature) to disable the protection mechanisms of the malware without causing any harm to the process in which the thread is injected.
  • a malware detection module in an anti-malware product detects an instance of malware that is known to inject threads, it invokes a thread scan by a thread scanning module by which threads associated with one or more named processes are matched to a subset of known malware thread signatures.
  • a thread scanning module by which threads associated with one or more named processes are matched to a subset of known malware thread signatures.
  • FIG. 1 shows an illustrative computing environment in which consumer and corporate users share public network infrastructure such as the Internet, and access resources located on the public network;
  • FIG. 2 is a flowchart of an overview of an illustrative method performed by the present thread scanning and patching to detect and disable injected malware;
  • FIG. 3 shows an illustrative computer system that runs an anti-malware product which includes functionality supporting the present thread scanning and patching;
  • FIG. 4 shows components used in an illustrative thread scanning module
  • FIG. 5 is a flowchart of an illustrative method that is performed by a block detection component in the thread scanning module.
  • FIG. 1 shows an illustrative computing environment 100 in which a number of consumer users 110 1, 2 . . . N and business users 116 1, 2 . . . N share common public network infrastructure 122 such as the Internet.
  • Resources 126 like web servers, databases, FTP (file transfer protocol) sites, and other Internet-based or distributed computing-type applications or services, may typically be accessed by users 110 and 116 using personal computers (“PCs”), laptops, and other computing platforms, as representatively indicated by reference numerals 118 and 120 , respectively.
  • PCs personal computers
  • laptops laptops
  • file and data may be shared among users through such facilities as e-mail or peer-to-peer file sharing.
  • malware such as computer viruses, worms, Trojan horses, and rootkits
  • the term malware as used here is a collective noun that refers to viruses, worms, Trojan horses, rootkits, and other code that is intentionally designed to perform malicious tasks on a computer system.
  • Payloads can include, for example, providing backdoor (i.e., unauthorized) access to the computer system, corrupting or deleting data on the computer, stealing information, or halting network service through a denial of service (“DoS”) attack.
  • DoS denial of service
  • the business users 116 typically are located in a corporate network (“corpnet”) that sits behind a firewall 130 that often provides, alone or in combination with other security products (not shown), protection against malware and other threats.
  • Consumer users 110 often utilize locally running anti-malware products such as anti-virus programs, and may also receive some protection against malware from their Internet service provider (“ISP”).
  • ISP Internet service provider
  • malware may use armor that attempts to foil an analysis of the malicious code. This may include detecting when a debugger is running and trying to prevent it from working correctly, or adding lots of meaningless code to make it difficult to determine the purpose of the malicious code.
  • Malware may use a stealth technique to hide itself by intercepting requests for information and returning false data. Malware may also encrypt itself or its payload to prevent detection and data retrieval.
  • malware injection Another technique called “process injection” has become increasingly popular among malware authors to conceal their code from anti-malware products or frustrate attempts to remove the malware.
  • This technique involves injecting the malicious code into legitimate processes that are running on the computer.
  • a remote access Trojan horse may inject malicious code into a process used by a web browser application to avoid detection by a firewall (e.g., firewall 130 ) or the anti-malware product running on a PC.
  • a firewall e.g., firewall 130
  • the security applications running on the firewall or PC which are often rule-based, will often not detect the malware, but only see the trusted Web browser application and associated processes.
  • Malicious code can be injected, for example, by loading executable code such as a DLL (“Dynamically Linked Library”) into a running process's memory.
  • executable code such as a DLL (“Dynamically Linked Library”)
  • Operating systems such as the Microsoft Windows® operating system, commonly provide several different ways to call external functions in a DLL file.
  • Another approach malware authors take is to use the Windows-provided API (application programming interface) for debugging.
  • a new thread is created in the target process with the thread's start address in memory set to the address of the executable malicious code.
  • thread is used here in its conventional sense to mean a set of instructions in program code that performs operations within an address space. Threads typically can execute independently of each other.
  • the present thread scanning and patching arrangement can disable injected malware code, including code that is injected into critical system processes.
  • the thread scanning and patching is implemented using a software module in an anti-malware product.
  • FIG. 2 shows a flowchart for an overview of the techniques used to detect and disable injected malware code using the Winlogon example above.
  • the anti-malware product with the thread scanning and patching module uses a conventional computer hard disk based scanning technique (or other known technique) to detect malware running on the Winlogon process, for example, by comparing files on the hard disk against signatures of known malware.
  • a thread scan is triggered on the Winlogon system process.
  • a thread of malicious code is detected.
  • the code is modified to disable the constant monitoring by the malware.
  • the malware files can be deleted.
  • rebooting the computer system clears the remaining traces of the patched malware thread from Winlogon.
  • FIG. 3 an illustrative computer system 300 is shown that supports an anti-malware product 305 that incorporates a malware detection and remediation module 312 , and a thread scanning module 320 .
  • Computer system 300 is representative of a typical personal computer as used, for example, by a consumer user 110 or by a business user 116 as shown in FIG. 1 .
  • the malware detection and remediation module 312 is arranged to apply any of a variety of known (i.e., “conventional”) techniques to detect malware on the computer system 300 , for example, by scanning files 326 on the computer system's hard disk drive 330 (or other storage medium such as a persistent or other non-volatile memory), and comparing data in the files 326 to signatures of known malware that are contained in a signature repository 335 .
  • known malware detection techniques that may be utilized include, for example, solutions that monitor network traffic leaving the computer system 300 , or methodologies which employ memory-based scanning.
  • the signature repository 335 is used to hold signatures used for detecting malware with conventional disk-based techniques, as well as for holding signatures of known malware threads, termed “thread scanning signatures.” In alternative implementations, the signatures used to support the malware detection techniques can be held separately from the thread scanning signatures.
  • signatures 335 will contain instructions to direct the malware detection and remediation module 312 to invoke a thread scan (using the thread scanning module 320 ) for only a subset of all known malware threads. Sometimes, therefore, only specific processes 341 identified by name will be subjected to thread scanning. By being selective with respect to both the thread scanning targets and the number of malware signatures being matched against, an effective solution to injected malware can be provided while maintaining the overall performance of the computer system 300 .
  • the malware detection and remediation module 312 makes a call to the thread scanning module and will pass the process name and Thread Signature ID as parameters to the thread scanning module 320 .
  • the thread scanning module 320 will locate threads 346 associated with the named processes in memory 350 in order to begin the thread scanning and patching technique. The details of the techniques used and the functional components of the thread scanning module are shown in FIG. 4 and described in more detail below.
  • the thread scanning module 320 includes a thread enumeration component 410 , a block detection complement 420 , a block matching component 430 , and a thread remediation component 440 .
  • the thread enumeration component 410 takes the process name as an input and locates candidate threads for scanning based on the process name.
  • the thread enumeration component 410 relies upon operating system functionality to generate a list of running processes on the computer system 300 .
  • the running process list is filtered by eliminating any process whose process name does not match the name received from the malware detection and remediation module 312 .
  • Each process that remains after the filtering is identified by a Process ID.
  • the operating system is queried to generate a list of threads for that process where each thread is identified by a Thread ID.
  • the thread enumeration component 410 then queries the operating system to obtain the start address of each thread's code in the process's memory.
  • the thread enumeration component 410 forwards the thread list (Thread ID, Process ID, Entry Point) to the block detection component 420 .
  • the trailing asterisk notation used in FIG. 4 “(x)*” means “zero or more of (x)”.
  • the notation (Thread ID, Process ID, Entry Point)* means that the thread list produced by the thread enumeration component 410 includes zero or more entries, each entry containing all of Thread ID, Process ID, and Entry Point.
  • the block detection module 420 uses the thread list (Thread ID, Process ID, Entry Point), and Thread Signature ID as inputs to analyze the machine code stored at a start address, and attempts to determine locations in memory where more code exists and the thread executes.
  • the block detection component 420 then generates a list of detected blocks which is forwarded to the block matching component 430 , (where each block in the list is identified by Block Address) to which blocks in a given signature can be matched against.
  • the list is in the form (Thread ID, Process ID, Block Address*)* which means that there are zero or more entries in the block list where each entry contains a Thread ID, a Process ID, and zero or more Block addresses.
  • the block detection module 420 accesses the memory space of the process to which the thread belongs. As shown in FIG. 5 , at 501 , a queue of memory addresses is formed where the start point address thread is the initial entry. At 502 , the first address in the memory queue is removed. At 503 , if the address is inside a block on the block list, then the step at 501 is repeated.
  • the machine code of the address in the memory address queue is examined.
  • the machine code jumps to new addresses in the memory, then those new addresses are added to the memory address queue.
  • the block is added to the block list.
  • the steps 501 - 506 are iterated so long as there are entries in the memory address queue, as indicated at 507 , and the size of the block list is smaller than a predefined limit, as indicated at 508 .
  • This limit will typically be selected to meet the needs of a particular implementation as more resources in the computer system 300 will typically be consumed as the size of the block list increases.
  • block matching component 430 takes the detected block list (Thread ID, Process ID, Block Address*)* and Thread Signature ID as inputs. Each block is attempted to be matched against a set of blocks in a thread scanning signature in signatures 335 . If all the blocks in the given thread scanning signature are matched, then the thread is determined to be infected with malicious code.
  • each thread signature in the signature repository 335 defines the partial contents of multiple blocks of memory. To declare a thread as infected, every partial block in the thread scanning signature must be matched against one of the blocks identified by the block detection component 420 . However, as only the thread scanning signatures explicitly identified by the Thread Signature ID (that is passed as a parameter to the thread scanning module 320 ) are used for the matching, resources in the computer system 300 can generally be used efficiently.
  • threads that match any thread scanning signatures are passed back, by Thread ID and Malware Name, to the malware detection and remediation module 312 or other system or sub-system running on the computer system 300 , for example, to be reported by the anti-malware product to an end-user, or system administrator.
  • a list of matched blocks for any detected thread and malware name (Thread ID, Malware Name, Matched Blocks*)* is reported to the thread remediation component 440 .
  • the matching thread scanning signatures from repository 335 are also passed as shown in FIG. 4 .
  • the thread remediation component 440 takes the identity of the malware thread and the list of matched blocks as inputs. Each thread reported to the remediation component 440 is suspended.
  • the matching thread scanning signature which is typically arranged to contain patch instructions, is then examined.
  • the patch instructions reference specific locations within the blocks and provide new values for the memory in these locations. The new values are written to the specified locations so that the process memory associated with the infected thread is modified.
  • the thread may either be resumed or terminated, depending on the instructions in the thread scanning signature.
  • a report may then be forwarded by Thread ID, Malware Name and Result (e.g., resumed, terminated), as indicated by arrow 442 to the malware detection and remediation module 312 or other system or sub-system running on the computer system 300 .

Abstract

An arrangement for scanning and patching injected malware code that is executing in otherwise legitimate processes running on a computer system is provided in which malware code is located in the memory of processes by extracting the start addresses of processes' threads and then searching near these addresses. Additional blocks of code in memory that are invoked by the code identified by each start address are also identified and the blocks are then matched against scanning signatures associated with known malware threads. If the entire signature can be matched against a subset of the blocks, then the thread is determined to be infected. The infected thread is suspended and in-memory modifications are performed to patch the injected code to render it harmless. The thread can be resumed or terminated to disable the protection mechanisms of the malware without causing any harm to the process in which the thread is injected.

Description

BACKGROUND
Public networks such as the Internet are commonly used to allow businesses and consumers to access and share information from a variety of sources. However, security is often a concern when accessing the Internet because there is a threat of malicious software being downloaded from a website or received in an e-mail which may contain viruses, Trojan horses, or other malicious executable code (collectively referred to as “malware”) that may infect computers inside the business or home.
An increasingly common technique used by malware authors is to create new threads of execution inside existing legitimate (i.e., trusted) processes running on a computer system. Known as code or process injection, the technique enables the new threads to protect and defend the rest of the malware installation by interfering with or recovering from any changes made by anti-malware products or tools.
Unfortunately, it is difficult for existing anti-malware products to identify such threads of execution accurately because the malicious code could be anywhere in the memory address space of any running process and the memory is not uniquely linked to a specific thread. In addition, even if the malicious code is detected by the anti-malware product, the process cannot always be killed as a whole. For example, if the running process is a user application process, killing it will cause the user to lose unsaved data. If the running process is a critical system process, killing it would cause the operating system to immediately crash.
This Background is provided to introduce a brief context for the Summary and Detailed Description that follow. This Background is not intended to be an aid in determining the scope of the claimed subject matter nor be viewed as limiting the claimed subject matter to implementations that solve any or all of the disadvantages or problems presented above.
SUMMARY
An arrangement for scanning and patching injected malware code that is executing in otherwise legitimate processes running on a computer system is provided in which malware code is located in the memory of processes by extracting the start addresses of processes' threads and then searching near these addresses. Additional blocks of code in memory that are invoked by the code identified by each start address are also identified and the blocks are then matched against scanning signatures associated with known malware threads. If the entire signature can be matched against a subset of the blocks, then the thread is determined to be infected. The infected thread is suspended and in-memory modifications are performed to patch the injected code to render it harmless. Once modified, the thread can be resumed or terminated (as may be specified by the signature) to disable the protection mechanisms of the malware without causing any harm to the process in which the thread is injected.
In an illustrative example, when a malware detection module in an anti-malware product detects an instance of malware that is known to inject threads, it invokes a thread scan by a thread scanning module by which threads associated with one or more named processes are matched to a subset of known malware thread signatures. By limiting the number of scanning targets and malware thread signatures against which they are matched, very effective scanning and patching may be realized without significantly impacting overall computer system performance.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
DESCRIPTION OF THE DRAWINGS
FIG. 1 shows an illustrative computing environment in which consumer and corporate users share public network infrastructure such as the Internet, and access resources located on the public network;
FIG. 2 is a flowchart of an overview of an illustrative method performed by the present thread scanning and patching to detect and disable injected malware;
FIG. 3 shows an illustrative computer system that runs an anti-malware product which includes functionality supporting the present thread scanning and patching;
FIG. 4 shows components used in an illustrative thread scanning module; and
FIG. 5 is a flowchart of an illustrative method that is performed by a block detection component in the thread scanning module.
Like reference numerals indicate like elements in the drawings. Elements are not drawn to scale unless otherwise indicated.
DETAILED DESCRIPTION
FIG. 1 shows an illustrative computing environment 100 in which a number of consumer users 110 1, 2 . . . N and business users 116 1, 2 . . . N share common public network infrastructure 122 such as the Internet. Resources 126 like web servers, databases, FTP (file transfer protocol) sites, and other Internet-based or distributed computing-type applications or services, may typically be accessed by users 110 and 116 using personal computers (“PCs”), laptops, and other computing platforms, as representatively indicated by reference numerals 118 and 120, respectively. In addition, file and data may be shared among users through such facilities as e-mail or peer-to-peer file sharing.
While the Internet has been invaluable in enabling positive and productive computing experiences for many users, it unfortunately has been a transport mechanism by which malware such as computer viruses, worms, Trojan horses, and rootkits may be distributed to infect computer systems around the world. The term malware as used here is a collective noun that refers to viruses, worms, Trojan horses, rootkits, and other code that is intentionally designed to perform malicious tasks on a computer system.
Once malware has reached a computer system over a transport mechanism, it will generally attempt to perform some malicious action, generally called a “payload.” Payloads can include, for example, providing backdoor (i.e., unauthorized) access to the computer system, corrupting or deleting data on the computer, stealing information, or halting network service through a denial of service (“DoS”) attack.
The business users 116 typically are located in a corporate network (“corpnet”) that sits behind a firewall 130 that often provides, alone or in combination with other security products (not shown), protection against malware and other threats. Consumer users 110 often utilize locally running anti-malware products such as anti-virus programs, and may also receive some protection against malware from their Internet service provider (“ISP”).
Unfortunately, many malware examples employ some kind of self-defense or protection mechanism to help reduce the likelihood of detection and/or removal by anti-malware products. For example, malware may use armor that attempts to foil an analysis of the malicious code. This may include detecting when a debugger is running and trying to prevent it from working correctly, or adding lots of meaningless code to make it difficult to determine the purpose of the malicious code. Malware may use a stealth technique to hide itself by intercepting requests for information and returning false data. Malware may also encrypt itself or its payload to prevent detection and data retrieval.
Another technique called “process injection” has become increasingly popular among malware authors to conceal their code from anti-malware products or frustrate attempts to remove the malware. This technique involves injecting the malicious code into legitimate processes that are running on the computer. For example, a remote access Trojan horse may inject malicious code into a process used by a web browser application to avoid detection by a firewall (e.g., firewall 130) or the anti-malware product running on a PC. Not only will the malicious code be provided with Internet access, but the security applications running on the firewall or PC, which are often rule-based, will often not detect the malware, but only see the trusted Web browser application and associated processes.
Malicious code can be injected, for example, by loading executable code such as a DLL (“Dynamically Linked Library”) into a running process's memory. Operating systems, such as the Microsoft Windows® operating system, commonly provide several different ways to call external functions in a DLL file. Another approach malware authors take is to use the Windows-provided API (application programming interface) for debugging. Typically, a new thread is created in the target process with the thread's start address in memory set to the address of the executable malicious code. It is noted that the term “thread” is used here in its conventional sense to mean a set of instructions in program code that performs operations within an address space. Threads typically can execute independently of each other.
Even in cases where the injected malicious code can be detected, it can be often very difficult to remove, particularly when a system process has been impacted. One example of a critical system process in the Windows operating system is Winlogon. Terminating this process can often cause the computer system to immediately crash. This characteristic makes this process a popular target for malware authors. The author may configure the malware to create a custom thread in Winlogon to constantly monitor and then replace any files containing the malware code which are detected and deleted by anti-malware products.
The present thread scanning and patching arrangement can disable injected malware code, including code that is injected into critical system processes. In an illustrative example, the thread scanning and patching is implemented using a software module in an anti-malware product. FIG. 2 shows a flowchart for an overview of the techniques used to detect and disable injected malware code using the Winlogon example above. At 201, the anti-malware product with the thread scanning and patching module uses a conventional computer hard disk based scanning technique (or other known technique) to detect malware running on the Winlogon process, for example, by comparing files on the hard disk against signatures of known malware. At 202, a thread scan is triggered on the Winlogon system process. At 203, a thread of malicious code is detected. At 204, the code is modified to disable the constant monitoring by the malware. At 205, the malware files can be deleted. At 206, rebooting the computer system clears the remaining traces of the patched malware thread from Winlogon.
Details of the thread scanning and patching technique are shown in FIGS. 3-5 and described in the accompanying text. Turning now to FIG. 3, an illustrative computer system 300 is shown that supports an anti-malware product 305 that incorporates a malware detection and remediation module 312, and a thread scanning module 320. Computer system 300 is representative of a typical personal computer as used, for example, by a consumer user 110 or by a business user 116 as shown in FIG. 1.
The malware detection and remediation module 312, in this example, is arranged to apply any of a variety of known (i.e., “conventional”) techniques to detect malware on the computer system 300, for example, by scanning files 326 on the computer system's hard disk drive 330 (or other storage medium such as a persistent or other non-volatile memory), and comparing data in the files 326 to signatures of known malware that are contained in a signature repository 335. Other conventional malware detection techniques that may be utilized include, for example, solutions that monitor network traffic leaving the computer system 300, or methodologies which employ memory-based scanning.
The signature repository 335 is used to hold signatures used for detecting malware with conventional disk-based techniques, as well as for holding signatures of known malware threads, termed “thread scanning signatures.” In alternative implementations, the signatures used to support the malware detection techniques can be held separately from the thread scanning signatures.
In most implementations of the present arrangement, signatures 335 will contain instructions to direct the malware detection and remediation module 312 to invoke a thread scan (using the thread scanning module 320) for only a subset of all known malware threads. Sometimes, therefore, only specific processes 341 identified by name will be subjected to thread scanning. By being selective with respect to both the thread scanning targets and the number of malware signatures being matched against, an effective solution to injected malware can be provided while maintaining the overall performance of the computer system 300.
Accordingly, when malware is detected for which thread scanning is utilized, the malware detection and remediation module 312 makes a call to the thread scanning module and will pass the process name and Thread Signature ID as parameters to the thread scanning module 320. The thread scanning module 320 will locate threads 346 associated with the named processes in memory 350 in order to begin the thread scanning and patching technique. The details of the techniques used and the functional components of the thread scanning module are shown in FIG. 4 and described in more detail below.
As shown in FIG. 4, the thread scanning module 320 includes a thread enumeration component 410, a block detection complement 420, a block matching component 430, and a thread remediation component 440.
The thread enumeration component 410 takes the process name as an input and locates candidate threads for scanning based on the process name. The thread enumeration component 410 relies upon operating system functionality to generate a list of running processes on the computer system 300. The running process list is filtered by eliminating any process whose process name does not match the name received from the malware detection and remediation module 312.
Each process that remains after the filtering is identified by a Process ID. For each such process, the operating system is queried to generate a list of threads for that process where each thread is identified by a Thread ID. The thread enumeration component 410 then queries the operating system to obtain the start address of each thread's code in the process's memory.
The thread enumeration component 410 forwards the thread list (Thread ID, Process ID, Entry Point) to the block detection component 420. It is noted that the trailing asterisk notation used in FIG. 4, “(x)*” means “zero or more of (x)”. Thus, for example, the notation (Thread ID, Process ID, Entry Point)* means that the thread list produced by the thread enumeration component 410 includes zero or more entries, each entry containing all of Thread ID, Process ID, and Entry Point.
The block detection module 420 uses the thread list (Thread ID, Process ID, Entry Point), and Thread Signature ID as inputs to analyze the machine code stored at a start address, and attempts to determine locations in memory where more code exists and the thread executes. The block detection component 420 then generates a list of detected blocks which is forwarded to the block matching component 430, (where each block in the list is identified by Block Address) to which blocks in a given signature can be matched against. The list is in the form (Thread ID, Process ID, Block Address*)* which means that there are zero or more entries in the block list where each entry contains a Thread ID, a Process ID, and zero or more Block addresses.
More specifically, for each thread, the block detection module 420 accesses the memory space of the process to which the thread belongs. As shown in FIG. 5, at 501, a queue of memory addresses is formed where the start point address thread is the initial entry. At 502, the first address in the memory queue is removed. At 503, if the address is inside a block on the block list, then the step at 501 is repeated.
At 504, the machine code of the address in the memory address queue is examined. At 505, if the machine code jumps to new addresses in the memory, then those new addresses are added to the memory address queue. At 506, when the end of the block of code is found, then the block is added to the block list.
The steps 501-506 are iterated so long as there are entries in the memory address queue, as indicated at 507, and the size of the block list is smaller than a predefined limit, as indicated at 508. This limit will typically be selected to meet the needs of a particular implementation as more resources in the computer system 300 will typically be consumed as the size of the block list increases.
Returning again to FIG. 4, block matching component 430 takes the detected block list (Thread ID, Process ID, Block Address*)* and Thread Signature ID as inputs. Each block is attempted to be matched against a set of blocks in a thread scanning signature in signatures 335. If all the blocks in the given thread scanning signature are matched, then the thread is determined to be infected with malicious code.
More specifically, each thread signature in the signature repository 335 defines the partial contents of multiple blocks of memory. To declare a thread as infected, every partial block in the thread scanning signature must be matched against one of the blocks identified by the block detection component 420. However, as only the thread scanning signatures explicitly identified by the Thread Signature ID (that is passed as a parameter to the thread scanning module 320) are used for the matching, resources in the computer system 300 can generally be used efficiently.
As indicated by arrow 435, threads that match any thread scanning signatures are passed back, by Thread ID and Malware Name, to the malware detection and remediation module 312 or other system or sub-system running on the computer system 300, for example, to be reported by the anti-malware product to an end-user, or system administrator. A list of matched blocks for any detected thread and malware name (Thread ID, Malware Name, Matched Blocks*)* is reported to the thread remediation component 440. The matching thread scanning signatures from repository 335 are also passed as shown in FIG. 4.
The thread remediation component 440 takes the identity of the malware thread and the list of matched blocks as inputs. Each thread reported to the remediation component 440 is suspended. The matching thread scanning signature, which is typically arranged to contain patch instructions, is then examined. The patch instructions reference specific locations within the blocks and provide new values for the memory in these locations. The new values are written to the specified locations so that the process memory associated with the infected thread is modified.
Once modified, the thread may either be resumed or terminated, depending on the instructions in the thread scanning signature. A report may then be forwarded by Thread ID, Malware Name and Result (e.g., resumed, terminated), as indicated by arrow 442 to the malware detection and remediation module 312 or other system or sub-system running on the computer system 300.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (20)

1. A method for disabling malicious functionality in a thread that is injected into a process running on a computer system, the method comprising the steps of:
receiving, by the computer system comprising at least one memory, identification of named processes in which malware code is suspected to have been injected;
generating a query arranged for identifying threads associated with the named processes;
extracting a start address location in the named processes' memory for each of the threads;
searching for additional locations invoked by the start address for each of the threads, the searching comprising:
forming a memory address queue wherein a start point of the queue is the start address location;
removing an address from the queue when that address is inside a block on a block list;
examining machine code at the address when the address is not inside the block list, the machine code being examined to identify new addresses; and
adding the new addresses to the queue if the machine code jumps to the new addresses or adding a block of code to the block list when end of the block is found;
responsive to the searching, listing the blocks of code that are associated with the threads;
matching the blocks of code with blocks in a thread scanning signature to determine if a thread is infected with malware, the thread scanning signature defining partial contents of blocks of memory; and
declaring the thread as infected if identified blocks of code match all the blocks in the thread scanning signature.
2. The method of claim 1 including the further steps of receiving patching instructions from the thread scanning signature and performing in-memory modifications to the malware code.
3. The method of claim 2 including a further step of suspending the thread.
4. The method of claim 2 including a further step of terminating the thread or resuming the thread once the in-memory modifications have been performed.
5. The method of claim 1 in which the identification is received from a malware detection module in response to the detection of malware, the malware detection module being arranged to detect malware using one or more conventional detection techniques.
6. The method of claim 1 in which the searching further Comprises iterating the searching steps so long as addresses remain in the queue and length of the block list is below a predefined limit.
7. The method of claim 1 in which the query is directed to an operating system running on the computer.
8. The method of claim 1 in which the extracting is performed by obtaining the start address of the thread from an operating system running on the computer.
9. A computer storage medium, the computer storage medium not consisting of a propagating signal, storing instructions which, when executed by one or more processors disposed in an electronic device, implements a thread scanning module, comprising:
a thread enumeration component arranged for locating candidate threads for thread scanning for named processes that are identified as being suspected of having been compromised by injected malware, and further arranged for determining a start address in the named processes' memory for the threads;
a block detection component operatively coupled to the thread enumeration component and arranged for locating blocks of code executed by the threads, that:
forms a memory address queue wherein a start point of the queue is the start address location;
removes an address from the queue when that address is inside a block on a block list;
examines machine code at the address when the address is not inside the block list, the machine code being examined to identify new addresses; and
adds the new addresses to the queue if the machine code jumps to the new addresses or adding a block of code to the block list when end of the block is found;
a block matching component operatively coupled to the block detection component and arranged for matching the blocks of code with stored thread scanning signatures of known malware threads; and
a thread remediation component operatively coupled to the block matching component and arranged for suspending execution of code in the thread.
10. The computer storage medium of claim 9 in which the named processes are identified by a malware detector that (a) identifies malware by comparing a file on a storage volume with a signature of known malware, or (b) monitors network traffic out of the electronic device.
11. The computer storage medium of claim 10 in which the thread remediation component is further arranged to perform in-memory modification of the threads to defeat the threads' self-defense or protection mechanisms.
12. The computer storage medium of claim 11 in which the thread remediation component is further arranged to resume the threads once the in-memory modification has been performed.
13. The computer storage medium of claim 10 in which the thread remediation component is further arranged to kill the threads.
14. The computer storage medium of claim 11 in which the candidate threads are located by querying the operating system to generate a list of threads that are associated with the named processes.
15. A system, comprising:
a processing unit operatively coupled to at least one memory;
a malware detection module arranged for detecting malware known to inject a thread into a process by (a) scanning data files located on a storage medium and comparing the scanned data files against signatures of known malware, or (b) by monitoring traffic out of a computing system, or (c) by scanning memory of the computing system, and being further arranged for invoking a thread scan for a named process associated with the thread;
a thread scanning module operatively coupled to the malware detection module, the thread scanning module being arranged for locating, responsively to the invoking, code blocks in memory executed by the thread, the thread scanning module comprising at least a thread remediation component performing remediation of an infected thread, the remediation including performing in-memory modification of the infected thread, the thread scanning module comprises a block detection module that:
forms a memory address queue wherein a start point of the queue is the start address location;
removes an address from the queue when that address is inside a block on a block list;
examines machine code at the address when the address is not inside the block list, the machine code being examined to identify new addresses; and
adds the new addresses to the queue if the machine code jumps to the new addresses or adding a block of code to the block list when end of the block is found; and
a signature repository for storing thread scanning signatures to which the code blocks are matched to determine if the thread is infected with malware.
16. The system of claim 15 in which the thread scanning module locates the code blocks by accessing a memory space used by the named process to which the thread belongs.
17. The system of claim 15 in which the remediation further including terminating the infected thread.
18. The system of claim 17 in which the thread scanning module is arranged for generating a report containing information about the infected thread, the report containing a malware name and a result of the remediation.
19. The system of claim 15 in which the signatures comprises instructions to invoke a thread scan.
20. The system of claim 15 in which the remediation further include resuming the threads once the in-memory modification has been performed.
US12/025,142 2008-02-04 2008-02-04 Thread scanning and patching to disable injected malware threats Expired - Fee Related US8387139B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/025,142 US8387139B2 (en) 2008-02-04 2008-02-04 Thread scanning and patching to disable injected malware threats

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/025,142 US8387139B2 (en) 2008-02-04 2008-02-04 Thread scanning and patching to disable injected malware threats

Publications (2)

Publication Number Publication Date
US20090199297A1 US20090199297A1 (en) 2009-08-06
US8387139B2 true US8387139B2 (en) 2013-02-26

Family

ID=40933090

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/025,142 Expired - Fee Related US8387139B2 (en) 2008-02-04 2008-02-04 Thread scanning and patching to disable injected malware threats

Country Status (1)

Country Link
US (1) US8387139B2 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140150102A1 (en) * 2012-11-29 2014-05-29 At&T Intellectual Property I, L.P. Detecting altered applications using network traffic data
US20150047044A1 (en) * 2013-08-06 2015-02-12 Medknex Software, Llc System and methods for protecting and using digital data
US20190294796A1 (en) * 2018-03-23 2019-09-26 Microsoft Technology Licensing, Llc Resolving anomalies for network applications using code injection
US10496812B2 (en) 2013-09-06 2019-12-03 Michael Guidry Systems and methods for security in computer systems
US10664594B2 (en) 2017-06-30 2020-05-26 Microsoft Technology Licensing, Llc Accelerated code injection detection using operating system controlled memory attributes
US10783247B1 (en) * 2017-02-21 2020-09-22 Triad National Security, Llc Software classification using phylogenetic techniques

Families Citing this family (57)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130276119A1 (en) * 2008-03-11 2013-10-17 Jonathan L. Edwards System, method, and computer program product for reacting to a detection of an attempt by a process that is unknown to control a process that is known
KR100870714B1 (en) * 2008-06-19 2008-11-27 (주)휴모션 Method for blocking harmful internet sites in real-time by approaching engine to object property
US8612995B1 (en) * 2009-03-31 2013-12-17 Symantec Corporation Method and apparatus for monitoring code injection into a process executing on a computer
US8424071B2 (en) * 2009-04-15 2013-04-16 International Business Machines Corporation Method and apparatus for secure and reliable computing
US8214903B2 (en) * 2009-10-02 2012-07-03 International Business Machines Corporation Analysis of scripts
KR101663013B1 (en) * 2010-01-15 2016-10-06 삼성전자주식회사 Apparatus and method for detecting code injection attack
US11411965B2 (en) * 2010-03-19 2022-08-09 Jeffrey Williams Method and system of attack detection and protection in computer systems
US9135443B2 (en) * 2010-05-06 2015-09-15 Mcafee, Inc. Identifying malicious threads
US9767282B2 (en) 2010-12-14 2017-09-19 Microsoft Technology Licensing, Llc Offline scan, clean and telemetry using installed antimalware protection components
US9858415B2 (en) 2011-06-16 2018-01-02 Microsoft Technology Licensing, Llc Cloud malware false positive recovery
KR101206853B1 (en) 2011-06-23 2012-11-30 주식회사 잉카인터넷 System and method for controlling network access
US8918878B2 (en) * 2011-09-13 2014-12-23 F-Secure Corporation Restoration of file damage caused by malware
US9158893B2 (en) * 2012-02-17 2015-10-13 Shape Security, Inc. System for finding code in a data flow
GB2502774B (en) * 2012-05-29 2014-07-02 Appsense Ltd Improvements in and relating to managing process image hijacks
US10332005B1 (en) * 2012-09-25 2019-06-25 Narus, Inc. System and method for extracting signatures from controlled execution of applications and using them on traffic traces
CN102982281B (en) * 2012-11-09 2016-03-30 北京奇虎科技有限公司 Program state testing method and system
CN102999720B (en) * 2012-11-09 2015-09-16 北京奇虎科技有限公司 Program identification method and system
CN103001947B (en) * 2012-11-09 2015-09-30 北京奇虎科技有限公司 A kind of program processing method and system
US9560069B1 (en) 2012-12-02 2017-01-31 Symantec Corporation Method and system for protection of messages in an electronic messaging system
WO2014145805A1 (en) * 2013-03-15 2014-09-18 Mandiant, Llc System and method employing structured intelligence to verify and contain threats at endpoints
US8869281B2 (en) 2013-03-15 2014-10-21 Shape Security, Inc. Protecting against the introduction of alien content
US9275225B2 (en) * 2013-03-15 2016-03-01 Intel Corporation Linear address mapping protection
US9411953B1 (en) * 2013-05-24 2016-08-09 Symantec Corporation Tracking injected threads to remediate malware
CN103679024B (en) * 2013-11-19 2015-03-25 百度在线网络技术(北京)有限公司 Virus treating method and device
US9225729B1 (en) 2014-01-21 2015-12-29 Shape Security, Inc. Blind hash compression
US10298599B1 (en) 2014-09-19 2019-05-21 Shape Security, Inc. Systems for detecting a headless browser executing on a client computer
US10671726B1 (en) * 2014-09-22 2020-06-02 Fireeye Inc. System and method for malware analysis using thread-level event monitoring
US10476947B1 (en) 2015-03-02 2019-11-12 F5 Networks, Inc Methods for managing web applications and devices thereof
US9842209B2 (en) * 2015-05-08 2017-12-12 Mcafee, Llc Hardened event counters for anomaly detection
US11616806B1 (en) 2015-05-08 2023-03-28 F5, Inc. Methods for protecting web based resources from D/DoS attacks and devices thereof
WO2016186902A1 (en) * 2015-05-20 2016-11-24 Alibaba Group Holding Limited Detecting malicious files
CN106295328B (en) 2015-05-20 2019-06-18 阿里巴巴集团控股有限公司 File test method, apparatus and system
US9986058B2 (en) 2015-05-21 2018-05-29 Shape Security, Inc. Security systems for mitigating attacks from a headless browser executing on a client computer
US20160357958A1 (en) * 2015-06-08 2016-12-08 Michael Guidry Computer System Security
US10083296B2 (en) 2015-06-27 2018-09-25 Mcafee, Llc Detection of malicious thread suspension
WO2017007705A1 (en) 2015-07-06 2017-01-12 Shape Security, Inc. Asymmetrical challenges for web security
WO2017007936A1 (en) 2015-07-07 2017-01-12 Shape Security, Inc. Split serving of computer code
US10614210B2 (en) * 2015-07-31 2020-04-07 Digital Guardian, Inc. Systems and methods of protecting data from injected malware
US10375026B2 (en) 2015-10-28 2019-08-06 Shape Security, Inc. Web transaction status tracking
US10212130B1 (en) 2015-11-16 2019-02-19 Shape Security, Inc. Browser extension firewall
US10581902B1 (en) 2015-11-30 2020-03-03 F5 Networks, Inc. Methods for mitigating distributed denial of service attacks and devices thereof
US10834110B1 (en) 2015-12-18 2020-11-10 F5 Networks, Inc. Methods for preventing DDoS attack based on adaptive self learning of session and transport layers and devices thereof
US10397250B1 (en) * 2016-01-21 2019-08-27 F5 Networks, Inc. Methods for detecting remote access trojan malware and devices thereof
EP3414695B1 (en) 2016-02-12 2021-08-11 Shape Security, Inc. Reverse proxy computer: deploying countermeasures in response to detecting an autonomous browser executing on a client computer
US10678919B2 (en) * 2016-02-19 2020-06-09 Secureworks Corp. System and method for detecting and monitoring process creation
US10855696B2 (en) 2016-03-02 2020-12-01 Shape Security, Inc. Variable runtime transpilation
US10567363B1 (en) 2016-03-03 2020-02-18 Shape Security, Inc. Deterministic reproduction of system state using seeded pseudo-random number generators
US9917850B2 (en) 2016-03-03 2018-03-13 Shape Security, Inc. Deterministic reproduction of client/server computer state or output sent to one or more client computers
US10129289B1 (en) 2016-03-11 2018-11-13 Shape Security, Inc. Mitigating attacks on server computers by enforcing platform policies on client computers
US10032023B1 (en) * 2016-03-25 2018-07-24 Symantec Corporation Systems and methods for selectively applying malware signatures
US10432652B1 (en) 2016-09-20 2019-10-01 F5 Networks, Inc. Methods for detecting and mitigating malicious network behavior and devices thereof
US9734337B1 (en) * 2017-01-24 2017-08-15 Malwarebytes Inc. Behavior-based ransomware detection
US11038869B1 (en) 2017-05-12 2021-06-15 F5 Networks, Inc. Methods for managing a federated identity environment based on application availability and devices thereof
US10691800B2 (en) * 2017-09-29 2020-06-23 AO Kaspersky Lab System and method for detection of malicious code in the address space of processes
US10931691B1 (en) 2017-10-09 2021-02-23 F5 Networks, Inc. Methods for detecting and mitigating brute force credential stuffing attacks and devices thereof
US11539740B1 (en) 2018-02-02 2022-12-27 F5, Inc. Methods for protecting CPU during DDoS attack and devices thereof
US11349981B1 (en) 2019-10-30 2022-05-31 F5, Inc. Methods for optimizing multimedia communication and devices thereof

Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6698016B1 (en) * 2000-08-29 2004-02-24 Microsoft Corporation Method for injecting code into another process
US6907531B1 (en) 2000-06-30 2005-06-14 Internet Security Systems, Inc. Method and system for identifying, fixing, and updating security vulnerabilities
US20050172338A1 (en) 2004-01-30 2005-08-04 Sandu Catalin D. System and method for detecting malware in executable scripts according to its functionality
US20060031673A1 (en) * 2004-07-23 2006-02-09 Microsoft Corporation Method and system for detecting infection of an operating system
US7036147B1 (en) 2001-12-20 2006-04-25 Mcafee, Inc. System, method and computer program product for eliminating disk read time during virus scanning
US20060230388A1 (en) 2005-04-08 2006-10-12 Hatlelid Kristjan E System and method for foreign code detection
US20060265749A1 (en) * 2003-04-14 2006-11-23 Seok-Chul Kwon Method for removing viruses infecting memory, computer-readable storage medium recorded with virus-removing program, and virus-removing apparatus
US20070044153A1 (en) 2005-08-19 2007-02-22 Sun Microsystems, Inc. Computer security technique employing patch with detection and/or characterization mechanism for exploit of patched vulnerability
US7188367B1 (en) 2001-03-30 2007-03-06 Moafee, Inc. Virus scanning prioritization using pre-processor checking
US20070101432A1 (en) 2005-10-28 2007-05-03 Microsoft Corporation Risk driven compliance management
US20070101335A1 (en) * 2005-11-03 2007-05-03 Microsoft Corporation Identifying separate threads executing within a single process
US20070107057A1 (en) 2005-11-10 2007-05-10 Docomo Communications Laboratories Usa, Inc. Method and apparatus for detecting and preventing unsafe behavior of javascript programs
US7237008B1 (en) 2002-05-10 2007-06-26 Mcafee, Inc. Detecting malware carried by an e-mail message
US7269851B2 (en) 2002-01-07 2007-09-11 Mcafee, Inc. Managing malware protection upon a computer network
WO2007133178A2 (en) 2006-04-21 2007-11-22 The Trustees Of Columbia University In The City Of New York Systems and methods for inhibiting attacks on applications
US20080016339A1 (en) 2006-06-29 2008-01-17 Jayant Shukla Application Sandbox to Detect, Remove, and Prevent Malware
US7398553B1 (en) * 2000-10-30 2008-07-08 Tread Micro, Inc. Scripting virus scan engine
US20090049550A1 (en) * 2007-06-18 2009-02-19 Pc Tools Technology Pty Ltd Method of detecting and blocking malicious activity
US7496904B2 (en) * 2003-06-26 2009-02-24 Microsoft Corporation Mining dependencies for testing and risk management
US20090089040A1 (en) * 2007-10-02 2009-04-02 Monastyrsky Alexey V System and method for detecting multi-component malware
US7797702B1 (en) * 2005-02-22 2010-09-14 Symantec Corporation Preventing execution of remotely injected threads

Patent Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6907531B1 (en) 2000-06-30 2005-06-14 Internet Security Systems, Inc. Method and system for identifying, fixing, and updating security vulnerabilities
US6698016B1 (en) * 2000-08-29 2004-02-24 Microsoft Corporation Method for injecting code into another process
US7398553B1 (en) * 2000-10-30 2008-07-08 Tread Micro, Inc. Scripting virus scan engine
US7188367B1 (en) 2001-03-30 2007-03-06 Moafee, Inc. Virus scanning prioritization using pre-processor checking
US7036147B1 (en) 2001-12-20 2006-04-25 Mcafee, Inc. System, method and computer program product for eliminating disk read time during virus scanning
US7269851B2 (en) 2002-01-07 2007-09-11 Mcafee, Inc. Managing malware protection upon a computer network
US7237008B1 (en) 2002-05-10 2007-06-26 Mcafee, Inc. Detecting malware carried by an e-mail message
US20060265749A1 (en) * 2003-04-14 2006-11-23 Seok-Chul Kwon Method for removing viruses infecting memory, computer-readable storage medium recorded with virus-removing program, and virus-removing apparatus
US7496904B2 (en) * 2003-06-26 2009-02-24 Microsoft Corporation Mining dependencies for testing and risk management
US20050172338A1 (en) 2004-01-30 2005-08-04 Sandu Catalin D. System and method for detecting malware in executable scripts according to its functionality
US20060031673A1 (en) * 2004-07-23 2006-02-09 Microsoft Corporation Method and system for detecting infection of an operating system
US7797702B1 (en) * 2005-02-22 2010-09-14 Symantec Corporation Preventing execution of remotely injected threads
US20060230388A1 (en) 2005-04-08 2006-10-12 Hatlelid Kristjan E System and method for foreign code detection
US20070044153A1 (en) 2005-08-19 2007-02-22 Sun Microsystems, Inc. Computer security technique employing patch with detection and/or characterization mechanism for exploit of patched vulnerability
US20070101432A1 (en) 2005-10-28 2007-05-03 Microsoft Corporation Risk driven compliance management
US20070101335A1 (en) * 2005-11-03 2007-05-03 Microsoft Corporation Identifying separate threads executing within a single process
US20070107057A1 (en) 2005-11-10 2007-05-10 Docomo Communications Laboratories Usa, Inc. Method and apparatus for detecting and preventing unsafe behavior of javascript programs
WO2007133178A2 (en) 2006-04-21 2007-11-22 The Trustees Of Columbia University In The City Of New York Systems and methods for inhibiting attacks on applications
US20080016339A1 (en) 2006-06-29 2008-01-17 Jayant Shukla Application Sandbox to Detect, Remove, and Prevent Malware
US20090049550A1 (en) * 2007-06-18 2009-02-19 Pc Tools Technology Pty Ltd Method of detecting and blocking malicious activity
US20090089040A1 (en) * 2007-10-02 2009-04-02 Monastyrsky Alexey V System and method for detecting multi-component malware

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Chen, et al., "Spatial-Temporal Modeling of Malware Propagation in Networks", National Science Foundation under Grant ECS-0334759 and Georgia Tech Broadband, 2004. pp. 1-12.
Florio, et al."When Malware Meets Rootkits", Symantec Security Response, Dublin. Originally published by Virus Bulletin, Dec. 2005. pp. 1-16.
Schuster, "Searching for processes and threads in Microsoft Windows memory dumps", 2006 DFRWS. Published by Elsevier Ltd. pp. 1-7.

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140150102A1 (en) * 2012-11-29 2014-05-29 At&T Intellectual Property I, L.P. Detecting altered applications using network traffic data
US8973139B2 (en) * 2012-11-29 2015-03-03 At&T Intellectual Property I, L.P. Detecting altered applications using network traffic data
US9300685B2 (en) 2012-11-29 2016-03-29 At&T Intellectual Property I, L.P. Detecting altered applications using network traffic data
US20150047044A1 (en) * 2013-08-06 2015-02-12 Medknex Software, Llc System and methods for protecting and using digital data
US10496812B2 (en) 2013-09-06 2019-12-03 Michael Guidry Systems and methods for security in computer systems
US10783247B1 (en) * 2017-02-21 2020-09-22 Triad National Security, Llc Software classification using phylogenetic techniques
US10664594B2 (en) 2017-06-30 2020-05-26 Microsoft Technology Licensing, Llc Accelerated code injection detection using operating system controlled memory attributes
US20190294796A1 (en) * 2018-03-23 2019-09-26 Microsoft Technology Licensing, Llc Resolving anomalies for network applications using code injection

Also Published As

Publication number Publication date
US20090199297A1 (en) 2009-08-06

Similar Documents

Publication Publication Date Title
US8387139B2 (en) Thread scanning and patching to disable injected malware threats
US10291634B2 (en) System and method for determining summary events of an attack
EP3430556B1 (en) System and method for process hollowing detection
EP3430557B1 (en) System and method for reverse command shell detection
EP2486507B1 (en) Malware detection by application monitoring
Lu et al. Blade: an attack-agnostic approach for preventing drive-by malware infections
Wang et al. Detecting stealth software with strider ghostbuster
AU2014393471B2 (en) Systems and methods for using a reputation indicator to facilitate malware scanning
US11232201B2 (en) Cloud based just in time memory analysis for malware detection
US8195953B1 (en) Computer program with built-in malware protection
US8719924B1 (en) Method and apparatus for detecting harmful software
US8239944B1 (en) Reducing malware signature set size through server-side processing
US8719935B2 (en) Mitigating false positives in malware detection
US20080016339A1 (en) Application Sandbox to Detect, Remove, and Prevent Malware
Kapravelos et al. Escape from monkey island: Evading high-interaction honeyclients
Shan et al. Safe side effects commitment for OS-level virtualization
Shan et al. Malware clearance for secure commitment of OS-level virtual machines
Afreen et al. Analysis of fileless malware and its evasive behavior
GB2510701A (en) Detecting malware code injection by determining whether return address on stack thread points to suspicious memory area
Shan et al. Enforcing mandatory access control in commodity OS to disable malware
US8201253B1 (en) Performing security functions when a process is created
US7840958B1 (en) Preventing spyware installation
Pan et al. PMCAP: a threat model of process memory data on the windows operating system
Kaur Network Security: Anti-virus.
Li et al. Agis: Towards automatic generation of infection signatures

Legal Events

Date Code Title Description
AS Assignment

Owner name: MICROSOFT CORPORATION, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:JARRETT, MICHAEL S.;MARINESCU, ADRIAN M;GHEORGHESCU, MARIUS GHEORGHE;AND OTHERS;REEL/FRAME:021426/0322;SIGNING DATES FROM 20080222 TO 20080225

Owner name: MICROSOFT CORPORATION, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:JARRETT, MICHAEL S.;MARINESCU, ADRIAN M;GHEORGHESCU, MARIUS GHEORGHE;AND OTHERS;SIGNING DATES FROM 20080222 TO 20080225;REEL/FRAME:021426/0322

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MICROSOFT CORPORATION;REEL/FRAME:034542/0001

Effective date: 20141014

FPAY Fee payment

Year of fee payment: 4

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20210226